Isolate a DC - Part 2: Reset SYSVOL Sync State

This is Part 2 of a multi part blog post covering the steps to Isolate a Domain Controller - if not emotionally, then logically.

Reset your DFSR SYSVol State

A DC booting into it’s own little world wont become healthy until SYSVOL has completed a sync with a partner in its domain, now this step is optional if your domain is temporary, but if you ever want to promote a new DC, or have a beautiful clear DCDIAG, then you’ll need to force SYSVOL into a synced state. Not by threatening to put it to bed early, but instead by tweaking its msDFSR-Options on its SYSVol Subscription object.

function Reset-SYSVOLSyncState{
    set-adobject "cn=sysvol Subscription,cn=domain system volume,cn=dfsr-LocalSettings,$((get-adcomputer $(&hostname)).distinguishedname)" -Replace @{'msDFSR-Options'=1}
    restart-service DFSR
}

Reset-SYSVOLSyncState

All the other parts of this series are available here

• Part 1: Configure the Network
• Part 2: Reset SYSVOL Sync State
• Part 3: Activate Administrator Account
• Part 4: Reset DSRM Password
• Part 5: Disable Global Catalog
• Part 6: Raise RID Pools
• Part 7: Seize all FSMO roles
• Part 8: Metadata cleanup all other DCs
• Part 9: Reset Intra-Forest trust passwords
• Part 10: Reset KrbTGT password twice